Computer programs often contain flaws, and in some instances these flaws can be exploited in such a way that a security or privacy violation is possible. Conventionally, these flaws could only be prevented by careful testing and code review. Unfortunately, these techniques are not perfect and often production code is released with security flaws. It is desirable to detect a flaw and intervene at the time of attack.
Certain operating systems, such as Microsoft® Windows®, provide an exception handling (EH) model. Exception handling is a service (e.g., an operating-system-provided service) that runs or calls a particular function in response to a fault. Various exception handlers are typically implemented to handle the various faults or exceptions that may occur. Functions that use exception handling may place information, such as pointers to the appropriate exception handling functions, in an EH registration on the stack. This has provided attackers with an opportunity to maliciously attack the EH model. In particular, an attacker can overrun a buffer and supply a value that causes an access violation, which in turn raises an exception. A buffer overrun typically provides the opportunity to rewrite a return address and the frame pointer; this is known as return address hijacking. The exception handling function pointers are likewise vulnerable to hijacking. During stack unwinding, the operating system looks to the exception frames for exception handlers to which it should pass control. Because the exception handling frame was corrupted (e.g., by being overwritten), the operating system passes control of the program to arbitrary code supplied by the attacker. It is thus desirable to intervene in the middle of an attack and stop an attacker from hijacking the computer or otherwise interfering with the normal operation of the computer.
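The paragraph above describes the unwinder walking EH registrations on the stack and trusting the handler pointers it finds there. The following C program is an added example written for this page, not code from the patent or from any operating system: it models a simplified registration record (a `prev` link and a `handler` pointer, an assumed layout) and a `validate_eh_chain` routine that refuses to dispatch when a record lies outside the thread's stack bounds, when the chain does not move toward the stack base, when it exceeds a depth limit (a looped chain), or when the handler is not in a table of known handlers. The handler table, stack region and scenario functions are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed (hypothetical) EH registration record, modelled on the layout the
 * text describes: a link to the previous record and a handler pointer. */
typedef struct eh_record {
    struct eh_record *prev;   /* next registration toward the stack base; NULL ends the chain */
    void (*handler)(void);    /* function the OS would transfer control to on a fault */
} eh_record;

/* Constructed table of legitimate handlers (stands in for a compile-time
 * list the loader could consult; hypothetical, not a real OS structure). */
static void known_handler_a(void) {}
static void known_handler_b(void) {}
static void (*const known_handlers[])(void) = { known_handler_a, known_handler_b };

static bool handler_is_known(void (*h)(void))
{
    size_t n = sizeof known_handlers / sizeof known_handlers[0];
    for (size_t i = 0; i < n; i++) {
        if (known_handlers[i] == h) return true;
    }
    return false;
}

/* Walk the chain as an unwinder would, but stop before dispatching to a
 * record that shows signs of corruption. Per record it checks that:
 *   1. the whole record lies within [stack_lo, stack_hi);
 *   2. the record sits at a higher address than the previous one (the stack
 *      grows down, so outer frames live at higher addresses);
 *   3. the handler pointer is one of the known handlers.
 * Returns the number of records validated, or -1 at the first bad record
 * (or when the walk exceeds max_depth, which catches looped chains). */
int validate_eh_chain(const eh_record *head, const void *stack_lo,
                      const void *stack_hi, size_t max_depth)
{
    uintptr_t lo = (uintptr_t)stack_lo, hi = (uintptr_t)stack_hi;
    uintptr_t last = 0;
    int count = 0;
    for (const eh_record *r = head; r != NULL; r = r->prev) {
        uintptr_t addr = (uintptr_t)r;
        if ((size_t)count >= max_depth) return -1;          /* chain too long or looped */
        if (addr < lo || addr + sizeof *r > hi) return -1;  /* record not on this stack */
        if (addr <= last) return -1;                        /* chain does not move outward */
        if (!handler_is_known(r->handler)) return -1;       /* handler pointer overwritten */
        last = addr;
        count++;
    }
    return count;
}

/* Constructed scenario data: a small array stands in for a stack region,
 * with frames[0] the innermost registration and frames[2] the outermost. */
static eh_record frames[3];

static void build_intact_chain(void)
{
    frames[0].prev = &frames[1]; frames[0].handler = known_handler_a;
    frames[1].prev = &frames[2]; frames[1].handler = known_handler_b;
    frames[2].prev = NULL;       frames[2].handler = known_handler_a;
}

/* Intact chain: all three records pass. */
int scenario_intact(void)
{
    build_intact_chain();
    return validate_eh_chain(&frames[0], frames, frames + 3, 16);
}

/* Simulated corruption: the middle record's handler field now holds an
 * address that is not a registered handler, so the walk is refused. */
static void not_a_handler(void) {}

int scenario_overwritten_handler(void)
{
    build_intact_chain();
    frames[1].handler = not_a_handler;
    return validate_eh_chain(&frames[0], frames, frames + 3, 16);
}

/* Simulated corruption: the link field points at a record that is not
 * within the stack region, so the walk is refused at that record. */
static eh_record off_stack = { NULL, known_handler_a };

int scenario_link_off_stack(void)
{
    build_intact_chain();
    frames[1].prev = &off_stack;
    return validate_eh_chain(&frames[0], frames, frames + 3, 16);
}
```

The checks mirror what an unwinder can verify before it transfers control: the registration must be where a legitimate frame could have placed it, and the target must be a function the program actually registered. A record that fails any check is treated as evidence of an in-progress attack rather than as a handler to run.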
In view of the foregoing, there is a need for systems and methods that overcome the limitations and drawbacks of the prior art.